Vulnerability in tkey-device-signer & verisigner

A vulnerability has been found in tkey-device-signer and verisigner that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey.

In the official applications built and released by Tillitis it is not possible to reveal any sensitive assets, but you are still exhorted to update the client apps using the vulnerable device apps:

Also look for the forthcoming new version of tkey-verification.

For more details, see Tillitis Security Bulletin 240115-1.